S&P Incorporates ERM into Credit Ratings—is Your Company Ready?

Page Content

You’ve probably read countless articles on the topic over the last year. And if your company is a non-financial, publicly-traded entity, your ERM program had better be in pretty good shape. Why? Because Standard & Poor’s (S&P) plans to eventually incorporate ERM into its corporate ratings. Lucky for you, this issue of RIMSCOPE provides a primer to help explain S&P’s expectations.

But first, some background on why risk managers need to pay close attention to this news.

Background

Since 2005, S&P has limited its risk management corporate evaluations to the finance and insurance sector. But, in early 2008, S&P decided it was time to expand its evaluations of all companies to include ERM and started the ball rolling on their plans.

To be fair, S&P is using this new approach for rating risk management capabilities, not as a direct response to the financial crisis that hammered Wall Street last year, but with the idea that ERM is an important aspect of a company’s overall business practices and credit worthiness.“We believe that a deeper dive on risk management will lead us to a more forward-looking credit opinion,” says Steven J. Dreyer, managing director of U.S. Utilities and Infrastructure, Corporate and Government Ratings, at Standard & Poor’s. “Companies that can better anticipate and respond to adversity and opportunity should realize stronger earnings and cash flow—important drivers of a credit rating.”

As a result of the new guidelines, many corporations now are taking a closer look at their ERM programs, even considering having the organization’s chief risk officer (if they have one) report to a dedicated risk committee of the board.Many risk managers are also giving top priority to their ERM programs by allocating appropriate resources and staffing to oversee them.“Prudent risk managers across industries should be closely monitoring the S&P’s expansion of its ERM rating process,” says Jeff Vernor, ARM, chair, ERM Development Committee of RIMS and global risk manager at Russell Investments.“As credit risk continues to be a top risk for most firms in this environment, the effectiveness of a company’s ERM program can be a real differentiator when selecting vendors, partners or making debt purchase decisions.The ERM corporate ratings could prove to be a useful addition to the risk manager’s toolkit.”

What’s happening right now?

Since making the announcement in 2008, S&P has begun discussions with companies it rates to collect information that will help it develop reliable ERM benchmarking and eventually publish evaluation guidelines. These discussions are part of the regularly scheduled review meetings that S&P conducts.

What companies can expect from meetings with S&P

At these review meetings organizations will be asked some tough questions about their ERM programs. Here is a sampling of questions that will be addressed:

What are the company’s top risks, how big are they and how often are they likely to occur? How often are the top risks re-evaluated and updated?

What is top management doing about top risks?

What quarterly operating or cash loss has management and the board agreed is tolerable?

Who is responsible for risk management programs and their place in the organizational chart.

How is the success of risk management activities measured?

How would a loss from a key risk impact incentive compensation of top management, as well as planning and budgeting?

What discussions about risk management have taken place at the board level or among top management when making strategic decisions?

Give an example of how your company responded to a recent “surprise” in your industry and describe whether the incident/issue affected your company.

Risk managers are perhaps the most appropriate people in the organization to help achieve a favorable ERM evaluation. However, critical thinking and thoughtful planning will require risk managers to grow beyond their current roles. They will need to think and act more strategically—and to demonstrate that a comprehensive, robust ERM program should not be considered an “add-on” to an existing risk assessment and compliance program.

Conclusion

To ensure they are prepared for these revamped guidelines, risk managers should be cognizant of the resources and staff that are allocated to ERM programs, and make certain they are adequate.Risk managers should prepare for S&P review meetings by taking a closer look at their ERM programs and ensuring they can thoroughly answer questions about their organizations’ respective top risks and how they are measuring progress with regard to ERM.

Resources such as RIMS Risk Maturity Model to help get risk managers up-to-speed on ERM can be found in RIMS ERM Center of Excellence.